Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"

Posted by Antoine Riard

Oct 16, 2023/16:57 UTC

A new transaction-relay jamming attack has been discovered that puts the safety of funds in lightning channels at risk. The attack relies on replacement cycling: a malicious counterparty evicts honest HTLC-timeout transactions from the mempool, replacing them with their own higher-fee transactions. Major lightning implementations have implemented mitigations for this attack, including aggressive rebroadcasting and local-mempool preimage monitoring.

While lightning channels are the primary target, other bitcoin applications using timelocks or multi-party transactions could also be affected. Developers and operators of these applications are encouraged to investigate potential disruptions caused by replacement cycling attacks.

There is also concern that package malleability pinning attacks could compromise the safety of funds in lightning channels. Mitigations have been proposed, but replacement cycling attacks may undermine them. Further research and development are needed in this area.

The discovery of this attack has prompted the release of mitigations and efforts to improve network security. The email concludes by inviting technical peers and the bitcoin community to analyze the issue and provide dissenting viewpoints if necessary, emphasizing the importance of verifying information.
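The local-mempool preimage monitoring mitigation named above, as an added example that is not code from the post or from any lightning implementation: every transaction the node's mempool accepts is scanned for a 32-byte witness item whose SHA-256 matches a pending HTLC payment hash, and the match is kept even after that transaction is replaced. The class, the callback names, and the event feed are hypothetical, and the transactions are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class PreimageMonitor:
    """Records HTLC preimages seen in transactions entering the local mempool."""
    pending: set                                  # payment hashes still unresolved
    learned: dict = field(default_factory=dict)   # payment_hash -> preimage

    def on_tx_accepted(self, txid, witnesses):
        """witnesses: one witness stack (list of bytes items) per input."""
        hits = []
        for stack in witnesses:
            for item in stack:
                if len(item) != 32:               # a preimage is exactly 32 bytes
                    continue
                digest = hashlib.sha256(item).digest()
                if digest in self.pending and digest not in self.learned:
                    self.learned[digest] = item
                    hits.append((txid, digest))
        return hits

    def on_tx_evicted(self, txid):
        """Deliberate no-op: a preimage stays usable after its tx is replaced."""

def replay(events, monitor):
    """Feed (kind, txid, witnesses) events; return txids left in the mempool."""
    mempool = set()
    for kind, txid, witnesses in events:
        if kind == "accept":
            mempool.add(txid)
            monitor.on_tx_accepted(txid, witnesses)
        else:
            mempool.discard(txid)
            monitor.on_tx_evicted(txid)
    return mempool

# Constructed sample data: placeholder signatures/scripts, not real transactions.
PREIMAGE = bytes(range(32))
PAYMENT_HASH = hashlib.sha256(PREIMAGE).digest()
SIG, SCRIPT = b"\x30" * 71, b"\x51" * 40
EVENTS = [
    ("accept", "htlc_timeout", [[SIG, b"", SCRIPT]]),
    ("accept", "htlc_preimage", [[SIG, PREIMAGE, SCRIPT]]),
    ("evict", "htlc_timeout", None),
    ("accept", "unrelated_spend", [[SIG, b"\x02" * 33]]),
    ("evict", "htlc_preimage", None),
]
```

Replaying `EVENTS` through `replay()` leaves neither HTLC transaction in the mempool, yet `monitor.learned` still holds the preimage for `PAYMENT_HASH`.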


Thread Summary (69 replies)

Oct 16 - Nov 17, 2023
